Chapter 6
File Infector
Infects files that the operating system or shell consider to be executable.
Monitored Behaviors
- Attempts to open, view, delete, and/or modify files - Attempts to format disk drives and other unrecoverable disk operations - Modifications to the logic of executable files or macros - Modification of critical system settings, such as start-up settings - Scripting of e-mail and instant messaging clients to send executable content - Initiation of network communications.
Virus Target Categories
- Boot Sector Infector - File Infector - Macro Virus - Multipartite Virus
Trojan Horse Models
- Continuing to perform the function of the original program and additionally performing a separate malicious activity. - Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity - Performing a malicious function that completely replaces the function of the original program
Mobile Code Methods
- Cross-Site Scripting - Interactive/Dynamic Web sites - E-mail attachments - Downloads from untrusted sites or of untrusted software
Bot Uses (HONE05)
- DDoS Attacks - Spamming - Sniffing Traffic - Keylogging - Spreading New Malware - Installing Advertisement Add-ons and BHOs - Attacking IRC Chat Networks - Manipulating Online Polls/Games
System Corruption Payloads
- Data destruction - Encryption of data for ransoming - Displaying unwanted messages or content - Real-world damage to a system These are attacks on the infected system's integrity (or on its availability, in the case of ransomware)
Threat Mitigation Options
- Detection - Identification - Removal
Virus Phases
- Dormant phase - Propagation phase - Triggering phase - Execution phase
Virus Concealment Categories
- Encrypted Virus - Stealth Virus - Polymorphic Virus - Metamorphic Virus
Generations of Anti-Virus Software (STEP93)
- First generation: simple scanners - Second generation: heuristic scanners - Third generation: activity traps - Fourth generation: full-featured protection
Requirements for Malware Countermeasures
- Generality - Timeliness - Resiliency - Minimal DoS Costs - Transparency - Global and Local Coverage
Malware Categories
- How it spreads or propagates to reach the desired targets - The actions or payloads it performs once a target is reached
Virus Parts
- Infection Mechanism - Trigger - Payload
Propagation Mechanisms
- Infection of existing executable or interpreted content by viruses that is subsequently spread to other systems - Exploit of software vulnerabilities either locally or over a network by worms or drive-by downloads to allow the malware to replicate - Social engineering attacks that convince users to bypass security mechanisms to install Trojans, or to respond to phishing attacks.
Types of Perimeter Monitoring
- Ingress Monitors - Egress Monitors
Popular Mobile Code Vehicles
- Java applets - ActiveX - JavaScript - VBScript
Rootkit Techniques to Alter System Calls
- Modify System Call Table - Modify System Call Table Targets - Redirect System Call Table
Advanced Worm Features
- Multiplatform - Multi-Exploit - Ultrafast Spreading - Polymorphic - Metamorphic - Transport Vehicles - Zero-day Exploit
Rootkit Characteristics
- Persistent - Memory Based - User Mode - Kernel Mode - Virtual Machine Based - External Mode
Main Elements of Prevention
- Policy - Awareness - Vulnerability Mitigation - Threat Mitigation
Worm Network Scanning Strategies
- Random - Hit-List - Topological - Local Subnet
Worm Propagation Phase Functions
- Search for appropriate access mechanisms to other systems to infect: by examining host tables, address books, buddy lists, trusted peers, and other similar repositories of remote system access details; by scanning possible target host addresses; or by searching for suitable removable media devices to use. - Use the access mechanisms found to transfer a copy of itself to the remote system, and cause the copy to be run.
Malware Detection Locations
- The infected system, via an "anti-virus" program - Perimeter security mechanisms in a firewall and IDS - Distributed mechanisms gathering data from both host-based and perimeter sensors -- Potentially over a large number of networks and organizations
Virus Categories
- The type of target the virus tries to infect - The method the virus uses to conceal itself from detection
Boot Sector Infector
Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
Distributed Intelligence Gathering Approaches
1. Gathers data from a large number of both host-based and perimeter sensors 2. Relays this intelligence to a central analysis system able to correlate and analyze the data 3. The central system can then return updated signatures and behavior patterns to enable all of the coordinated systems to respond and defend against malware attacks
Fast-Flux DNS
A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies
Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes it
Worm
A computer program that can run independently and propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system. - Actively seeks out more machines to infect
Watering Hole Attack
A form of drive-by-download attack in which the attacker: - Researches their intended victims to identify websites they are likely to visit - Scans these sites to identify which are vulnerable - Compromises one or more of the sites and waits for the target(s) to arrive -- Code may even be written so ONLY the specified targets are hit by the trap
Stealth Virus
A form of virus explicitly designed to hide itself from detection by anti-virus software. Thus the entire virus, not just the payload, is hidden. - May use code mutation, compression, or rootkit techniques to achieve this.
Polymorphic Virus
A form of virus that creates copies during replication that are functionally equivalent but have distinctly different bit patterns, in order to defeat programs that scan for viruses. In this case, the "signature" of the virus will vary with each copy. - To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent instructions. - A more effective approach is to use encryption. The strategy of the encryption virus is followed.
Encrypted Virus
A form of virus that uses encryption to obscure its content. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. - When an infected program is invoked, the virus uses the stored random key to decrypt the virus. - When the virus replicates, a different random key is selected. - Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe; only the small decryption routine stays the same.
Botnet
A logical computer network of zombies under the control of an attacker. - Attacks the integrity and availability of the infected system
Reconnaissance Payload
A malware payload intended to obtain certain types of desired information and return them to the attacker
Virus Signature Scanner (GD)
A module that scans the target code looking for known malware signatures.
Malicious Software (Malware) [SOUP13]
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim - Threat to: -- Application programs -- Utility programs -- Kernel programs
CPU Emulator (GD)
A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. - The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs
Phishing
A spam e-mail may direct the user to a fake Web site controlled by the attacker, or ask them to complete an enclosed form and return it to an e-mail address accessible to the attacker; either way the aim is to gather a range of private, personal information about the user. - This is normally wrapped in a message suggesting that urgent action is required by the user - Given sufficient details, the attacker can then "assume" the user's identity for the purpose of obtaining credit, or sensitive access to other resources.
Malvertising
A technique used to place malware on websites without actually compromising them - The attacker pays for advertisements that are highly likely to be placed on their intended target websites, and which incorporate malware in them. Using these malicious ads, attackers can infect visitors to sites displaying them. Again, the malware code may be dynamically generated to either reduce the chance of detection, or to only infect specific systems.
Macro Virus
A type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to run and replicate itself into other such documents. - The evolution of the original machine executable code viruses
Syscall Number
A unique number assigned to each system call in a Linux system. The kernel maintains a system call table with one entry per system call routine; each entry contains a pointer to the corresponding routine
Virus Permissions
A virus that attaches to an executable program can do anything that the program is permitted to do. It executes secretly when the host program is run. - Once the virus code is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.
Clickjacking (User-Interface Redress Attack)
A vulnerability used by an attacker to collect an infected user's clicks, so they can force them to do things like adjust computer settings or go to a malicious website. - Through Adobe Flash or JavaScript, an attacker could even place a button under or over a legitimate button, making it difficult for users to detect. - A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. - There are also keylogging versions of this
E-Mail or Instant Messenger Facility (Worm)
A worm e-mails a copy of itself to other systems, or sends itself as an attachment via an instant message service, so that its code is run when the e-mail or attachment is received or viewed.
File Sharing (Worm)
A worm either creates a copy of itself or infects other suitable files as a virus on removable media such as a USB drive; it then executes when the drive is connected to another system, either through the autorun mechanism (possibly by exploiting a software vulnerability in it) or when a user opens the infected file on the target system.
Remote Execution Capability (Worm)
A worm executes a copy of itself on another system, either by using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations
Remote Login Capability (Worm)
A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes
Remote File Access/Transfer Capability (Worm)
A worm uses a remote file access or transfer service to another system to copy itself from one system to the other, where users on that system may then execute it.
Persistent (Rootkit)
Activates each time the system boots. The rootkit must store code in a persistent storage site, such as the registry or file system, and configure a method by which the code executes without user intervention. - This means it is easier to detect, as the copy in persistent storage can potentially be scanned.
Adware
Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Drive-By-Download
An attack using code in a compromised Web site that exploits a browser vulnerability to attack a client system when the site is viewed - Usually doesn't actively propagate like a worm, instead waiting for a target to come to it
Backdoor (Trapdoor)
Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system
Metamorphic Virus
As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, using multiple transformation techniques, increasing the difficulty of detection. - May change behavior as well as appearance.
Resistant to Traditional File Access Control (Macro Virus)
Because macro viruses infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread, since users are expected to modify them.
Transport Vehicles (Worm)
Because worms can rapidly compromise a large number of systems, they are ideal for spreading a wide variety of malicious payloads, such as distributed denial-of-service bots, rootkits, spam e-mail generators, and spyware
Attacking IRC Chat Networks (Bots)
Botnets are also used for attacks against Internet Relay Chat (IRC) networks, especially the so-called clone attack: the controller orders each bot to connect a large number of clones to the victim IRC network. - The victim is flooded by service requests from thousands of bots or thousands of channel joins by these cloned bots. In this way the victim IRC network is brought down, similar to a DDoS attack.
Spreading New Malware (Bots)
Botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. A botnet with 10,000 hosts that acts as the start base for a worm or mail virus allows very fast spreading and thus causes more harm
Installing Advertisement Add-ons and BHOs (Bots)
Botnets can be used to gain financial advantages. This works by setting up a fake Web site with some advertisements: The operator of this Web site negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be "automated" so that instantly a few thousand bots click on the pop-ups. - This process can be further enhanced if the bot hijacks the start-page of a compromised machine so that the "clicks" are executed each time the victim uses the browser.
Sniffing Traffic (Bots)
Bots can use a packet sniffer to watch for interesting cleartext data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords
Kernel Mode (Rootkit)
Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel's list of active processes.
Keyloggers
Captures keystrokes on a compromised system
Logic Bomb
Code inserted into malware by an intruder. It lies dormant until a predefined condition is met; the code then triggers an unauthorized act. - A key component for data corruption
Exploits
Code specific to a single vulnerability or set of vulnerabilities.
Downloaders
Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package
Emulation Control Module (GD)
Controls the execution of the target code and periodically interrupts interpretation to use the Virus Signature Scanner
Advanced Persistent Threats (APTs)
Cybercrime directed at business and political targets, using a wide variety of intrusion technologies and malware, applied persistently and effectively to specific targets over an extended period, often attributed to state-sponsored organizations.
Persistent (APT)
Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success. A variety of attacks may be progressively, and often stealthily, applied until the target is compromised.
Random Scanning
Each compromised host probes random addresses in the IP address space, using a different seed. This technique produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched.
Multipartite Virus
Infects files in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all of the possible sites of infection
Generic Decryption (GD)
Enables the antivirus program to detect even complex polymorphic viruses and other malware while maintaining fast scanning speeds: the suspect code is run under emulation long enough for its decryption routine to expose the real body, which is then scanned for signatures. Contains the following elements: - CPU Emulator - Virus Signature Scanner - Emulation Control Module
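The Encrypted Virus, Polymorphic Virus and Generic Decryption entries can be seen together in one small simulation. This is an added example, not code from the page and not any real sample: the "virus body" is a constructed, inert byte string, the cipher is a toy repeating-key XOR standing in for whatever a real decryptor uses, and the CPU emulator is replaced by simply running the decryption loop in Python and pausing every few bytes to scan the plaintext produced so far.

```python
import os
from typing import Optional

# Constructed stand-in for an infected program's virus body: an inert byte string
# (never executed) that happens to contain the pattern a scanner knows about.
BODY = b"stage1:locate-host;stage2:append-self;MARKER:EVIL-7"
SIGNATURE = b"MARKER:EVIL-7"
KEY_LEN = 8


def xor_stream(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Toy repeating-key XOR (assumed cipher; real samples vary).  `offset` lets a
    caller decrypt a chunk that does not start at the beginning of the stream."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def make_instance(body: bytes, key: Optional[bytes] = None) -> bytes:
    """One replicated copy laid out as [key][body XOR key].
    A fresh random key per copy means the body has no constant bit pattern;
    only the tiny decryptor convention (key first, ciphertext after) is shared."""
    key = key if key is not None else os.urandom(KEY_LEN)
    return key + xor_stream(body, key)


def signature_scan(sample: bytes) -> bool:
    """First-generation scanner: match a known bit pattern in the file as stored."""
    return SIGNATURE in sample


def generic_decrypt_scan(sample: bytes, step: int = 16) -> bool:
    """Generic decryption (GD):
      - the 'CPU emulator' is this loop doing the decryptor's work,
      - the 'emulation control module' is the pause every `step` bytes,
      - the 'virus signature scanner' is the check on the plaintext so far.
    Returns True as soon as the decrypted prefix exposes the signature."""
    key, ciphertext = sample[:KEY_LEN], sample[KEY_LEN:]
    plain = bytearray()
    for pos in range(0, len(ciphertext), step):
        plain += xor_stream(ciphertext[pos:pos + step], key, offset=pos)
        if SIGNATURE in plain:
            return True
    return False


if __name__ == "__main__":
    a, b = make_instance(BODY), make_instance(BODY)
    print("two copies identical:", a == b)                  # False
    print("signature scan on a copy:", signature_scan(a))  # False: body is encrypted
    print("GD scan on a copy:", generic_decrypt_scan(a))   # True: plaintext exposed
```

Two copies share only the key-first layout, which is why a scanner has to run the decryptor rather than look for the body; the polymorphic step the page describes next, mutating that decryptor too, is what pushes scanners from simple signatures to emulation of the stub itself.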
Ultrafast Spreading (Worm)
Exploit various techniques to optimize the rate of spread of a worm to maximize its likelihood of locating as many vulnerable machines as possible in a short time period.
Memory Based (Rootkit)
Has no persistent code and therefore cannot survive a reboot. However, because it is only in memory, it can be harder to detect.
Local Subnet Scanning
If a host can be infected behind a firewall, that host then looks for targets in its own local network. The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
Keylogging (bots)
If the compromised machine uses encrypted communication channels (e.g. HTTPS or POP3S), then just sniffing the network packets on the victim's computer is useless - By using a keylogger, which captures keystrokes on the infected machine, an attacker can retrieve sensitive information.
Metamorphic (Worm)
In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
Keylogger Defense
In response to the use of keyloggers, some banking and other sites switched to using a graphical applet to enter critical information, such as passwords. - Since these do not use text entered via the keyboard, traditional keyloggers do not capture this information
Worm Propagation Phases
In the initial phase, the number of infected hosts increases exponentially, but from a small base. In the middle phase, infecting hosts waste some time attacking already infected hosts, which reduces the rate of infection - Infection becomes linear instead of exponential, but is still rapid. In the final phase most vulnerable computers have been infected and the worm is slowly seeking out those remaining hosts that are difficult to identify
Host-Based Behavior-Blocking Software
Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action - Blocks potentially malicious actions before they have a chance to affect the system - Blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics
User Mode (Rootkit)
Intercepts calls to APIs and modifies returned results. For example, when an application performs a directory listing, the return results do not include entries identifying the files associated with the rootkit.
Ingress Monitors
Located at the border between the enterprise network and the Internet - Can be part of the ingress filtering software of a border router or external firewall, or a separate passive monitor - Can use anomaly, signature and heuristic approaches to detect malware - Software can be housed in a honeypot
Easily Spread (Macro Virus)
Macro viruses are easily spread, as the documents they exploit are shared in normal use. A very common method is by electronic mail.
Infect Documents, Not Code (Macro Virus)
Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of documents rather than programs. - More potential targets
Auto-Rooter
Malicious hacker tools used to break into new machines remotely.
Virus
Malware that, when executed, tries to replicate itself into other executable machine or script code; when it succeeds, the code is said to be infected. When the infected code is executed, the virus executes first, then the host code - Viruses can spread over the network if the code they are embedded in is sent elsewhere - Named by Fred Cohen, who wrote a book on the subject
Keylogger
Malware which captures keystrokes on the infected machine to allow an attacker to monitor sensitive information. - Keyloggers typically implement some form of filtering mechanism that only returns information close to desired keywords (e.g., "login" or "password" or "paypal.com").
Platform Independence (Macro Virus)
Many macro viruses infect active content in commonly used applications, such as macros in Microsoft Word documents or other Microsoft Office documents, or scripting code in Adobe PDF documents. Any hardware platform and operating system that supports these applications can be infected.
Third Generation Anti-Virus
Memory-resident programs that identify malware by its actions rather than its structure in an infected program. - Have the advantage that it is not necessary to develop signatures and heuristics for a wide array of malware. - Rather, it is necessary only to identify the small set of actions that indicate malicious activity
Multi-Exploit (Worm)
New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media.
Multiplatform (Worm)
Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX; or exploit macro or scripting languages supported in popular document types.
Identification (Threat Mitigation)
Once detection has been achieved, identify the specific malware that has infected the system
Detection (Threat Mitigation)
Once the infection has occurred, determine that it has occurred and locate the malware.
Removal (Threat Mitigation)
Once the specific malware has been identified, remove all traces of it from all infected systems so that it cannot spread further
Manipulating Online Polls/Games
Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. - Online games can be manipulated in a similar way
Fourth Generation Anti-Virus
Packages consisting of a variety of anti-virus techniques used in conjunction. - These include: -- Scanning -- Activity trap components -- Access control capability, which limits the ability of malware to penetrate a system and then limits the ability of a malware to update files in order to propagate
Information Theft Payloads
Payloads where the malware gathers data stored on the infected system for use by the attacker - Frequently the targeted data are login credentials - Certain documents or system configuration details may be sought as well
Ideal Solution to Malware
Prevention: Do not allow malware to get into the system in the first place, or block the ability of it to modify the system
Zombie, bot
Program installed on an infected machine that is activated to launch attacks on other machines
First Generation Anti-Virus
Requires a malware signature to identify the malware. The signature may contain "wildcards" but matches essentially the same structure and bit pattern in all copies of the malware. - Such signature-specific scanners are limited to the detection of known malware. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length as a result of virus infection.
Rootkit Countermeasures
Requires a variety of network- and computer-level security tools. Both network-based and host-based IDSs can look for the code signatures of known rootkit attacks in incoming traffic. Host-based anti-virus software can also be used to recognize the known signatures. - Can also look for behaviors in case the rootkit uses a novel signature - Can also perform file integrity checks
Egress Monitors
Same as an ingress monitor, but can also be located at the egress point of individual LANs on the enterprise network as well as at the border between the enterprise network and the Internet - Designed to catch the source of a malware attack by monitoring out-going traffic for signs of scanning or other suspicious behavior
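The behaviour an egress monitor looks for, as an added example (not code from the page) run over constructed flow records: an internal host that, within a short window, contacts an unusually large number of distinct destinations on one port is probably scanning. The records, the window length and the threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]   # (src_ip, dst_ip, dst_port, seconds since start)

# Constructed sample, not a real capture: 10.0.0.5 behaves normally; 10.0.0.9 walks
# through 40 addresses on TCP/445 within a minute.
FLOWS: List[Flow] = (
    [("10.0.0.5", "203.0.113.10", 443, t) for t in range(0, 600, 30)]
    + [("10.0.0.5", "203.0.113.20", 443, t) for t in range(5, 600, 60)]
    + [("10.0.0.5", "198.51.100.7", 53, t) for t in range(0, 600, 15)]
    + [("10.0.0.9", f"192.0.2.{i}", 445, 100 + i) for i in range(1, 41)]
)


def detect_scanners(flows: List[Flow], window: int = 60,
                    min_distinct: int = 20) -> Dict[str, Tuple[int, int]]:
    """For each (src, dst_port), find the largest number of distinct destinations seen
    in any `window`-second span; report sources whose maximum reaches `min_distinct`.
    Returns {src_ip: (dst_port, distinct_destinations)}, keeping the worst port per source."""
    by_key: Dict[Tuple[str, int], List[Tuple[int, str]]] = defaultdict(list)
    for src, dst, port, t in flows:
        by_key[(src, port)].append((t, dst))

    alerts: Dict[str, Tuple[int, int]] = {}
    for (src, port), events in by_key.items():
        events.sort()
        counts: Dict[str, int] = defaultdict(int)   # dst -> occurrences inside the window
        best, left = 0, 0
        for t, dst in events:
            counts[dst] += 1
            while events[left][0] < t - window:     # slide the window's left edge forward
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= min_distinct and best > alerts.get(src, (0, 0))[1]:
            alerts[src] = (port, best)
    return alerts


if __name__ == "__main__":
    for src, (port, n) in detect_scanners(FLOWS).items():
        print(f"possible scan from {src}: {n} distinct hosts on port {port} within 60s")
```

Counting distinct destinations per port, rather than raw connection counts, keeps a busy but legitimate client (many connections to a few servers) below the threshold while a worm sweeping a range trips it; the same logic placed on an ingress monitor would flag inbound sweeps.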
Second Generation Anti-Virus
Scanner uses heuristic rules to search for probable malware instances. One class of such scanners looks for fragments of code that are often associated with malware. Another second-generation approach is integrity checking. A checksum can be appended to each program. If malware alters or replaces some program without changing the checksum, then an integrity check will catch this change. - To counter malware that is sophisticated enough to change the checksum when it alters a program, an encrypted (keyed) hash function can be used. The key is stored separately from the program so that the malware cannot generate a new hash code and encrypt it. -- If a protected list of programs in trusted locations is kept, this approach can also detect attempts to replace or install rogue code or programs in these locations.
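An integrity checker of the kind just described, as an added example (not code from the page): a keyed hash (HMAC-SHA256) over each program in a protected location, with the key held apart from the programs. The first three functions show why an unkeyed checksum is not enough; the rest build a baseline and report modified, missing and rogue files. The directory contents are constructed stand-ins, not real binaries.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Dict, List

TAG_LEN = 8


def unkeyed_tag(data: bytes) -> bytes:
    """A plain (unkeyed) checksum appended to a program: anyone can recompute it."""
    return hashlib.sha256(data).digest()[:TAG_LEN]


def unkeyed_check(program: bytes) -> bool:
    return hmac.compare_digest(program[-TAG_LEN:], unkeyed_tag(program[:-TAG_LEN]))


def infect_and_refresh_tag(program: bytes) -> bytes:
    """What 'sophisticated enough' malware does to an unkeyed scheme: alter the
    program, then recompute and replace the trailer so the check still passes."""
    body = program[:-TAG_LEN] + b"+appended-virus-stub"   # constructed marker, inert
    return body + unkeyed_tag(body)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: without `key`, malware cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_baseline(root: Path, key: bytes) -> Dict[str, str]:
    """Tag every file under a trusted location (the 'protected list')."""
    return {
        p.relative_to(root).as_posix(): keyed_tag(key, p.read_bytes())
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root: Path, key: bytes, baseline: Dict[str, str]) -> List[str]:
    """Compare the location against the baseline: a rogue file is an install
    attempt, a changed tag is an altered or replaced program."""
    findings, seen = [], set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append(f"unexpected file: {rel}")
        elif not hmac.compare_digest(keyed_tag(key, p.read_bytes()), baseline[rel]):
            findings.append(f"modified: {rel}")
    findings += [f"missing: {rel}" for rel in baseline if rel not in seen]
    return findings


def demo() -> List[str]:
    """Constructed scenario: two stand-in programs are baselined, then one is
    altered and a rogue program is dropped into the trusted directory."""
    key = os.urandom(32)   # assumed to live apart from the programs (e.g. read-only media)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"stand-in program bytes for ls")
        (root / "bin" / "cat").write_bytes(b"stand-in program bytes for cat")
        baseline = make_baseline(root, key)
        (root / "bin" / "ls").write_bytes(b"stand-in program bytes for ls+appended-virus-stub")
        (root / "bin" / "sudo").write_bytes(b"rogue stand-in dropped by malware")
        return verify(root, key, baseline)


if __name__ == "__main__":
    prog = b"stand-in program" + unkeyed_tag(b"stand-in program")
    print("unkeyed check still passes after infection:",
          unkeyed_check(infect_and_refresh_tag(prog)))   # True
    print(demo())   # ['modified: bin/ls', 'unexpected file: bin/sudo']
```

The baseline itself must be stored where the malware cannot rewrite it, for the same reason the key is: an attacker who can edit the list of expected tags gains nothing from the HMAC.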
Backdoor/Trapdoor
Secret entry point into a program that allows someone who is aware of it to gain access without going through the usual security access procedures. - Can be used legitimately to debug and test programs (in this case it is called a maintenance hook) - Can also be implemented as a network service listening on some non-standard port, through which the attacker issues commands to the infected system
Rootkit
Set of hacker tools used after the attacker has broken into a computer system and gained root-level access - Helps maintain this access, while hiding evidence of the attacker - Alters the host's standard functionality in a malicious and stealthy way
Attack Kit
Set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.
Mobile Code
Software (e.g., script, macro, etc) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Spyware
Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information. - Sometimes may dynamically modify data exchanged between the browser and certain websites of interest
Ransomware
Software that encrypts programs and data until a ransom is paid to decrypt it and remove the malware.
Payload Examples
System corruption, bots, phishing, spyware, theft of services or information (Keylogging, etc.) and rootkits
Global and Local Coverage
The approach should be able to deal with attack sources both from outside and inside the enterprise network
Resiliency
The approach should be resistant to evasion techniques employed by attackers to hide the presence of their malware
Timeliness
The approach should respond quickly so as to limit the number of infected programs or systems and the consequent activity
Minimal DoS Costs
The approach should result in minimal reduction in capacity or service due to the actions of the countermeasure software, and should not significantly disrupt normal operation
Generality
The approach taken should be able to handle a wide variety of attacks.
Hit-List Scanning
The attacker first compiles a long list of potential vulnerable machines. - This can be a slow process done over a long period to avoid detection that an attack is underway. Once the list is compiled, the attacker begins infecting machines on the list. - Each infected machine is provided with a portion of the list to scan. This strategy results in a very short scanning period, which may make it difficult to detect that infection is taking place.
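A small propagation simulation, added here rather than taken from the page, that compares random scanning with hit-list scanning and lets the three phases under "Worm Propagation Phases" be read off the curve. The address space, the set of vulnerable hosts and the probe rate are constructed toy parameters, and infection is modelled as nothing more than "a probe hits a vulnerable, not-yet-infected address".

```python
import random
from typing import Dict, List, Set

ADDRESS_SPACE = 4096     # constructed toy address space
PROBES_PER_TICK = 2      # probes each infected host sends per time step


def simulate(strategy: str, vulnerable: Set[int], seed: int = 7, max_ticks: int = 400) -> List[int]:
    """Return the infected-host count after each tick for 'random' or 'hit-list' scanning.
    Hit-list: patient zero starts with the full list and hands half of what is left to
    each host it infects; a host whose list is empty falls back to random probes."""
    rng = random.Random(seed)
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    worklist: Dict[int, List[int]] = {
        patient_zero: sorted(vulnerable) if strategy == "hit-list" else []
    }
    curve = [len(infected)]
    for _tick in range(max_ticks):
        newly = set()
        for host in list(infected):
            for _probe in range(PROBES_PER_TICK):
                wl = worklist[host]
                target = wl.pop() if wl else rng.randrange(ADDRESS_SPACE)
                # a probe at an already-infected host is the wasted effort of the middle phase
                if target in vulnerable and target not in infected and target not in newly:
                    newly.add(target)
                    half = len(wl) // 2                      # divide the remaining list
                    worklist[target], worklist[host] = wl[:half], wl[half:]
        infected |= newly
        curve.append(len(infected))
        if len(infected) == len(vulnerable):
            break
    return curve


def ticks_to_reach(curve: List[int], count: int) -> int:
    """First tick at which at least `count` hosts are infected."""
    return next(i for i, n in enumerate(curve) if n >= count)


def phase_growth(curve: List[int]) -> List[int]:
    """New infections per tick: rises (exponential phase), levels off (linear phase),
    then trails away while the last hard-to-find hosts are located (final phase)."""
    return [b - a for a, b in zip(curve, curve[1:])]


if __name__ == "__main__":
    vulnerable = set(range(0, ADDRESS_SPACE, 10))    # 410 vulnerable hosts, constructed
    for strategy in ("random", "hit-list"):
        curve = simulate(strategy, vulnerable)
        print(f"{strategy:8s} half infected at tick {ticks_to_reach(curve, len(vulnerable) // 2)}, "
              f"all infected at tick {len(curve) - 1}")
        print("   new infections per tick:", phase_growth(curve)[:12], "...")
```

With the list partitioned among victims, every hit-list probe lands on a known vulnerable host, so the scanning phase is over in a handful of ticks; random scanning spends most of its probes on empty or already-infected addresses, which is both what slows it down and what makes it visible to an egress monitor.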
Modify System Call Table (Rootkit)
The attacker modifies selected syscall addresses stored in the system call table. This enables the rootkit to direct a system call away from the legitimate routine to the rootkit's replacement.
Modify System Call Table Targets
The attacker overwrites selected legitimate system call routines with malicious code. The system call table is not changed
Redirect System Call Table
The attacker redirects references to the entire system call table to a new table in a new kernel memory location
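The three alterations above, together with the detector they demand, in one small model. This is an added example, not kernel code and not from the page: `Routine` and `Kernel` are stand-ins (a list of Python objects carrying inert "code" bytes in place of a real table of function pointers), and `audit` compares the live table with a baseline taken at a trusted moment, which is the kind of integrity check the rootkit countermeasures entry refers to.

```python
import hashlib
from typing import List


class Routine:
    """Stand-in for a kernel routine: a name and its 'code' bytes (inert, never run)."""
    def __init__(self, name: str, code: bytes):
        self.name, self.code = name, code


class Kernel:
    """Stand-in kernel: `table` plays the system call table; the attribute itself plays
    the pointer through which the kernel finds that table."""
    def __init__(self):
        self.table: List[Routine] = [
            Routine("sys_read", b"read-impl"),
            Routine("sys_write", b"write-impl"),
            Routine("sys_getdents", b"getdents-impl"),   # directory listing: what a rootkit hides files from
        ]


def hook_rk_getdents() -> Routine:
    return Routine("rk_getdents", b"filter-out-rootkit-files;call-original")


# --- the three techniques on the page ---------------------------------------
def modify_table_entry(k: Kernel, n: int) -> None:
    """Modify System Call Table: swap the address stored in slot n."""
    k.table[n] = hook_rk_getdents()


def modify_target(k: Kernel, n: int) -> None:
    """Modify System Call Table Targets: patch the routine's code; the table is untouched."""
    k.table[n].code = b"jmp rk_getdents;" + k.table[n].code


def redirect_table(k: Kernel, n: int) -> None:
    """Redirect System Call Table: point the kernel at a new table that is a faithful copy
    except for the hooked slot."""
    new_table = list(k.table)
    new_table[n] = hook_rk_getdents()
    k.table = new_table


# --- baseline and audit -------------------------------------------------------
def snapshot(k: Kernel) -> dict:
    """Taken while the system is trusted.  Keeps the table object, the routine objects and
    a hash of each routine's code, so that each of the three techniques is detectable."""
    return {
        "table": k.table,
        "entries": list(k.table),
        "code": [hashlib.sha256(r.code).hexdigest() for r in k.table],
    }


def audit(k: Kernel, base: dict) -> List[str]:
    findings = []
    if k.table is not base["table"]:
        findings.append("syscall table pointer changed")
    for n, (live, good, good_hash) in enumerate(zip(k.table, base["entries"], base["code"])):
        if live is not good:
            findings.append(f"slot {n} ({good.name}) redirected to {live.name}")
        elif hashlib.sha256(live.code).hexdigest() != good_hash:
            findings.append(f"slot {n} ({good.name}) code patched in place")
    return findings


def run_scenario(technique) -> List[str]:
    """Apply one technique to a fresh kernel and report what the audit sees."""
    k = Kernel()
    base = snapshot(k)
    technique(k, 2)
    return audit(k, base)


if __name__ == "__main__":
    for t in (modify_table_entry, modify_target, redirect_table):
        print(f"{t.__name__:20s} -> {run_scenario(t)}")
```

The point of keeping three things in the baseline is that each technique slips past a detector that checks only one of them: a table-entry diff misses patched targets, a code-hash diff misses swapped entries, and both miss a redirected table unless the detector also verifies where the kernel's pointer is aimed.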
Worm Introduction
The concept of a computer worm was introduced in John Brunner's 1975 SF novel The Shockwave Rider. The first known worm implementation was done at Xerox's Palo Alto Research Center (PARC) in the early 1980s. It was nonmalicious, searching for idle systems on which to run a computationally intensive task.
Transparency
The countermeasure software and devices should not require modification to existing (legacy) OSs, application software, and hardware
Trigger (Virus)
The event or condition that determines when the payload is activated or delivered - Sometimes known as a logic bomb.
Worm Target Discovery (Scanning/Fingerprinting)
The first function in the propagation phase for a network worm is for it to search for other systems to infect
Host-Based Scanners
The first location where anti-virus software is used is on each end system. This gives the software the maximum access to information on not only the behavior of the malware as it interacts with the targeted system, but also the smallest overall view of malware activity. - Can be regarded as a form of host-based intrusion detection system
Execution Phase
The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Behavior Blocker Limitation
The malicious code must run on the target machine before all its behaviors can be identified, thus it can cause harm before it has been detected and blocked
External Mode (Rootkit)
The malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware.
Infection Mechanism (Virus)
The means by which a virus spreads or propagates, enabling it to replicate. - Also referred to as the infection vector.
Mutation Engine
The portion of a polymorphic virus that is responsible for generating keys and performing encryption/decryption - It is altered with each use.
Propagate
The spreading of malware - Used by viruses, worms and Trojans
Triggering Phase
The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
Dormant Phase
The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage
Propagation Phase
The virus places a copy of itself into other programs or into certain system areas on the disk. - The copy may not be identical to the propagating version; viruses often morph to evade detection. - Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
Mobile Phone Worms
These worms communicate through Bluetooth wireless connections or via the multimedia messaging service (MMS). - The target is the smartphone, which is a mobile phone that permits users to install software applications from sources other than the cellular network operator
Spear-Phishing
This again is an e-mail claiming to be from a trusted source. However, the recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity.
Perimeter Scanning Limitation
This approach is limited to scanning the malware content, as it does not have access to any behavior observed when it runs on an infected system.
Topological Scanning
This method uses information contained on an infected victim machine to find more hosts to scan.
VM Based (Rootkit)
This type of rootkit installs a lightweight virtual machine monitor, and then runs the operating system in a virtual machine above it. The rootkit can then transparently intercept and modify states and events occurring in the virtualized system.
Threats (APT)
Threats to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets. The active involvement of people in the process greatly raises the threat level above that of automated attack tools, and also the likelihood of a successful attack.
Zero-Day Exploit (Worm)
To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
Polymorphic
To evade detection, skip past filters, and foil real-time analysis, worms adopt virus polymorphic techniques. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
Worm Replication
To replicate itself, a worm uses some means to access remote systems. - E-Mail or Instant Messenger Facility - File Sharing - Remote Execution Capability - Remote File Access/Transfer Capability - Remote Login Capability
Spyware Detection and Removal
Tools that specialize in the detection and removal of spyware, and provide more robust capabilities. Thus they complement, and should be used along with, more general anti-virus products.
Social Engineering
Tricking users into assisting in the compromise of their own systems or personal information.
Mobile Phone Trojans
Trojans that target smartphones and are typically distributed using app marketplaces.
Worm Phases
Typically follow the same four phases as a virus.
Perimeter Scanning Approaches
Typically included in e-mail and Web proxy services running on these systems. It may also be included in the traffic analysis component of an IDS. - This gives the anti-virus software access to malware in transit over a network connection to any of the organization's systems, providing a larger scale view of malware activity. This software may also include intrusion prevention measures, blocking the flow of any suspicious traffic, thus preventing it reaching and compromising some target system, either inside or outside the organization.
Spam
Unsolicited bulk e-mail - Some estimates suggest it accounts for 90% of all e-mail - Types -- Advertisements -- Scams -- Malware -- Phishing
Advanced (APT)
Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required. The individual components may not necessarily be technically advanced, but are carefully selected to suit the chosen target.
Flooders (DoS client)
Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack.
Spammer Programs
Used to send large volumes of unwanted e-mail.
Blended Attack
Uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack. - Some malware even supports an update mechanism that allows it to change the range of propagation and payload mechanisms utilized once it is deployed.
Goal of APTs
Varies from theft of intellectual property or security- and infrastructure-related data to the physical disruption of infrastructure.
Crimeware
Virus-creation toolkits built to help create and tweak malware. They include a variety of propagation mechanisms and payload modules that even novices can combine, select, and deploy. They can also easily be customized with the latest discovered vulnerabilities.
Remote Control Facility
What distinguishes a bot from a worm - Worms propagate and activate independently - Bots are controlled by some form of command-and-control (C&C) server network
Payload (Virus)
What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
Attack Agent Payloads
Where the payload subverts the infected system for use by the attacker.
Spamming (Bots)
With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of spam.
Classic Epidemic Model
$\frac{dI(t)}{dt} = \beta I(t) S(t)$ - $I(t)$ = number of individuals infected as of time $t$ - $S(t)$ = number of susceptible individuals (susceptible to infection but not yet infected) at time $t$ - $\beta$ = infection rate - $N$ = size of the population, $N = I(t) + S(t)$
Stealth Payloads
Techniques used by malware to hide its presence on the infected system, and to provide covert access to that system. - This type of payload also attacks the integrity of the infected system.